Active Directory comes to Linux with Samba 4

Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett.

Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols.

Because AD is "far more than LDAP and Kerberos", Bartlett said, Samba 4 is not only about developing with Microsoft's customisation of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager.

"I've been working on Samba 4 for four years to try and provide a way to not run Microsoft servers at the centre of the network, which then leads to the clients," he said. "But I am a realist and we have implemented the logon server for Samba 4."

Bartlett admitted Samba has a "nasty" reputation for being "impossible to configure" and believes Samba 4 should "just work" without administrators needing to read through documentation first.

"For example, in Samba 4 we generate the DNS configuration and have an optional OpenLDAP backend and we have configured this as we know how Samba needs this setup."

Over the past year Samba 4 has added multi-master replication leveraging OpenLDAP, making Samba no longer a single-server implementation.

"Our users have also demonstrated how smart card logins work. I barely had to do anything in Samba 4 to get this to work. There is support for group policy as Windows clients are impossible to manage without it."

Samba also changed its scripting language to Python which Bartlett says should be easier for administrators, and there are bindings for other tools.

Also new is NTP signing support which allows Windows clients to accept a valid time from a linux server, which is needed for Kerberos authentication to work. Microsoft's own NTP signing protocol is non-standard and uses AD. This has been implemented in Samba 4 and "to say the NTP community was not happy is an understatement".

Bartlett said Samba 4 has had a lot of input from system administrators, but still needs more help.

"Samba is not just C anymore and we are doing more in scripting languages to make it more flexible," he said, adding some new features in Windows are easy to add to Samba via scripting.

"My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry. We spent a week at Microsoft and discovered Windows would use a call with a string and fill it with random crap. Samba just sent a password of zero to the string and this is probably not the best for security! Samba now has a conversion logic that handles random characters and is then doing normal Kerberos functions on it."

Bartlett said the Samba team now has a good relationship with Microsoft and the password bug was never in any of its documentation so "they never thought it existed".

Microsoft has also provided a copy of its AD schema which can be worked around by the Samba team.

"We still need a lot of help. For example, how much more do we need to do to support Exchange? Letting me know what works and what doesn't is incredibly valuable.”

If people want a Web interface to Samba 4 that is something the community may have to develop. Bartlett said there have been efforts to do this in the past, but they have been removed due to lack of support.

Featured Whitepapers

Community Comments

New technology is great ! all for it though Telstra I believe should be getting the current network up to scratch. I live in Sydney and we are on dial up speeds through a Telstra exchange and advised from Telstra to wait for the NBN ...

Copyright 2015 IDG Communications. ABN 14 001 592 650. All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.